The new General Data Protection Regulation (GDPR), passed by the EU in December 2015, will come into effect for every member state on 25th May 2018, but with the UK set to leave the European Union by March 2019 there are complications when it comes to implementing the EU law.
What do I need to know?
The UK government has confirmed that it will implement GDPR in May 2018, as the UK will still be an EU member state at the time of the regulation’s introduction. This affirmation came from the Secretary of State for Culture, Media and Sport, Karen Bradley, and ultimately means that organisations in the UK need to be GDPR compliant by 25th May 2018.
GDPR is the first major legislative overhaul of European Data Protection law since the drafting of the Data Protection Directive (DPD) in 1995. GDPR is an extension and expansion of DPD that attempts to privilege the individual’s right to have control over their own data.
It will be the first of its kind: a global data protection regulation. Data protection is growing in global importance as online interaction becomes the primary way of carrying out business. The world of data processing has changed substantially since the 1990s, and the introduction of GDPR is a welcome development for individuals concerned about their right to access their personal information.
What does this mean for the UK?
While there has been uncertainty among UK businesses as to whether it would be worth investing in preparations for GDPR compliance given the lack of clarity surrounding Brexit, it is now clear that the United Kingdom is legally bound to implement GDPR because its member status will be unchanged in May 2018. As well as this, regardless of the UK leaving the EU, any UK business that wants to interact with the data of EU citizens in future will have to comply with GDPR; it is not only binding for member states. Article 3 of the new regulation sets out which companies fall within its scope: “all the processing activities related to the offering of goods or services to data subject of the EU” and all “the monitoring of EU data subject behaviour taking place in the EU”.
One of the most important things to understand about GDPR is that if your business processes or manages any information that pertains to an individual in the EU, you are bound under the new regulations. If your company operates in the UK you will need to adhere to the new regulation or face potentially serious repercussions. These data protection regulations will affect every organisation, based inside and outside the EU, that processes or stores the personal data of EU citizens.
How will GDPR affect me?
If you have a business that deals with the personal data of individuals living in the EU, or uses this data to carry out any aspect of your business, you need to make the necessary preparations for GDPR. There are a number of new requirements that did not appear in the EU DPD that could catch you out and result in fines of up to 4% of your global revenue.
A major change that some companies are struggling to grasp is that what matters is who the information pertains to, not where the information is stored. Previously, it was the location of the data processing centres that determined which rules applied. Under the new law it does not matter where the processing centres are based; it is the subject whose information it is that matters. In other words, you do not have to be physically established in the EU for GDPR to apply to you.
As GDPR is an extension of DPD there are similarities, but also major differences, between the two regulations. Some of the new provisions need to be examined thoroughly in order to be implemented properly in your business.
Here are some new and important features:
- The Right to be Forgotten: An individual’s right to withdraw their consent to the use or storage of their personal data and to request that it be deleted.
- Privacy by Design: Processes that involve interacting with personal data must now be designed to explicitly obtain an individual’s consent for the use of their personal data, as opposed to relying on implied consent.
- Breach Notification: When an organisation becomes aware of a security breach involving personal data, under the new regulation it must notify the data protection authorities within 72 hours of the breach coming to its attention. Data subjects must also be notified if the breach poses a “high risk to their rights and freedom”. Failure to do so may result in a fine.
- Extraterritoriality: If a company collects data about EU subjects, regardless of that company’s physical presence in the EU, it is bound to comply with GDPR. This will have a huge effect on e-commerce and other cloud organisations.
Regardless of the UK’s member state status, the General Data Protection Regulation is a vast and complex set of laws whose implementation must be invested in if one is to continue doing business in the EU, or business with data collected from the EU. Brexit does not render the United Kingdom exempt from global data regulation. It is important to pay attention to the development of the UK’s own data protection laws upon exiting the EU, but for now GDPR should be of paramount importance to every business inside and outside the EU.
Editor’s Note:
From time to time, SensorsTechForum features guest articles by cyber security and infosec leaders and enthusiasts such as this post. The opinions expressed in these guest posts, however, are entirely those of the contributing author, and may not reflect those of SensorsTechForum.